What it will take for cybersecurity to become common sense

Changing your password needs to become like washing your hands after using the bathroom -- a habit. We’re a long way off from that.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
4 min read

We apply common sense to a lot of things we do in life. Apparently not cybersecurity.

Aaron Robinson/CNET

Look both ways before you cross the street. Wash your hands before leaving the bathroom. Put a seat belt on when you get in the car. Don't eat the yellow snow.

These are all common sense tips for safety that people have learned, whether from parents or one really embarrassing moment in the winter. But when it comes to cybersecurity, common sense is rare.

There are still thousands of people who think "password" is a good idea for a password. In 2016, Keeper Security looked at 10 million passwords stolen in data breaches, and 1.7 million of them were "123456."

Before you laugh at these stupid passwords -- which you absolutely should -- note that they underscore the fact we're all kind of terrible when it comes to protecting our own personal data. It's that kind of environment that opens the door to things like the massive WannaCry attack, which largely proliferated because people were reluctant to upgrade to newer, more secure software.  

In March, the Pew Research Center surveyed more than 1,000 American adults on what they knew about cybersecurity. The survey asked what's two-factor authentication, what is a virtual private network and how secure is public Wi-Fi.

On average, people only answered five out of the 13 questions correctly. Only 1 percent of respondents got every question right.

"Everyone is kind of hitting at a D level for these things," Aaron Smith, the Pew Research Center's associate director behind the study said. The survey is just a glimpse of what's common sense when it comes to cybersecurity, and apparently, only 1 percent of Americans have it.

See how you fare, take it here.

Knowledge gap

For experts, this knowledge gap is becoming a serious problem. Last year alone, there were 689 million people in 21 countries hit by cybercrime, with the number of victims rising 10 percent annually for the last three years.

According to cybersecurity experts, if people developed better habits like with washing their hands, but against cyberthreats, it would drastically reduce the number of breaches, hacks and malware victims, the same way that wearing seat belts reduced the risk of fatal accidents by nearly 50 percent.

WannaCry is a cautionary tale about what happens when people don't practice safe security. The devastating ransomware hit hospitals, banks, universities and airports in 150 countries in May, despite the fact that Microsoft released the patch for the exploit in March.

While it targeted outdated systems like Windows XP, a majority of the victims were on Windows 7, which meant that victims didn't update their software.

"I look at cybersecurity the way I might look at a public health issue, traffic safety or other kinds of broad or universal society safety issues," Michael Kaiser, executive director of the National Cyber Security Alliance said. "We think about how you help people create these good or better habits over time. Part of that is just repetition."

People are starting to learn more about cybersecurity as a matter of common sense, but Kaiser believes we're still a long way from it. The same way that it took decades for doctors to go from endorsing cigarettes to universally accepting that smoking is harmful, Kaiser sees an uphill battle to get people mindful of their digital hygiene.

"We have probably another 10 or 20 years to pound away with the messaging to get people to do stuff," Kaiser said.

For now, people are just starting to pick up on common sense digital safety practices. The five questions that most people got right on the Pew Research quiz were on subjects people deal with every day: passwords, Wi-Fi and multi-factor authentication. When it came to more nuanced issues, like what's a rootkit, people were less aware.

"The more technical the questions get, the further removed they are from a day-to-day experience," Smith said.

The hope is though, that the average person won't have to worry about all the technical details in the future. Researchers want ensuring safety online to be as simple as clicking a seat belt.

Common sense roadblocks

Cybersecurity has a problem with developing common sense for people because there's just too much advice, and too many devices.

Technology is always changing, bringing new vulnerabilities, and more precautions that you have to take.

You've protected your Facebook account with two-factor authentication, now you need to change the default password on some smart toothbrush. Or turn off your Wi-Fi in public areas. You need to back up all your systems -- yes, the one on your toothbrush, too.

"If a consumer has to remember 25 different things just to stay safe online, that's too much," Neil Daswani, interim chief information security officer at Symantec said. "Unfortunately in the world, it doesn't take much to exploit a connected device."

Imagine if a different kind of seat belt came out every two years, with a new way to click it in. It'd be frustrating. Unfortunately, in cybersecurity, it's a reality and a major obstacle, especially since old habits are hard to kill.

"It takes time as a society to develop more and more common sense and make it tech in nature," Daswani said.

The hope is that by the next generation, children growing up today will have better access to information on online safety as digital natives, and pass on the knowledge as common sense. Until then, the National Cyber Security Alliance tries to raise awareness with things like "Data Privacy Day" and "World Password Day."

If everything goes right and cybersecurity becomes common practice, awareness days like those will become obsolete.

"If everybody was doing everything they needed to do, we could happily go out of business," Kaiser said. "I think we're a ways from that yet."

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.

Batteries Not Included: The CNET team reminds us why tech is cool.